CAPEC-702: Exploiting Incorrect Chaining or Granularity of Hardware Debug Components
An adversary exploits incorrect chaining or granularity of hardware debug components in order to gain unauthorized access to debug functionality on a chip. This happens when authorization is not checked on a per function basis and is assumed for a chain or group of debug functionality.
Overview
Chip designers often include design elements in a chip for debugging and troubleshooting such as: Various Test Access Ports (TAPs) which allow boundary scan commands to be executed. Scan cells that allow the chip to be used as a "stimulus and response" mechanism for scanning the internal components of a chip. Custom methods to observe the internal components of their chips by placing various tracing hubs within their chip and creating hierarchical or interconnected structures among those hubs. Because devices commonly have multiple chips and debug components, designers will connect debug components and expose them through a single external interface, which is referred to as “chaining”. Logic errors during design or synthesis could misconfigure the chaining of the debug components, which could allow unintended access. TAPs are also commonly referred to as JTAG interfaces.